From ee411778da0ff99808a8ee257c718dcb24739a7f Mon Sep 17 00:00:00 2001
From: Trygve Laugstøl <trygvis@inamo.no>
Date: Mon, 7 Jan 2019 16:05:40 +0100
Subject: wireguard: Rewrite.

---
 ansible/roles/wireguard/defaults/main.yml |   1 -
 ansible/roles/wireguard/tasks/main.yml    | 141 ++++++++++++------------------
 2 files changed, 55 insertions(+), 87 deletions(-)


diff --git a/ansible/roles/wireguard/defaults/main.yml b/ansible/roles/wireguard/defaults/main.yml
index 9b1bf59..824e765 100644
--- a/ansible/roles/wireguard/defaults/main.yml
+++ b/ansible/roles/wireguard/defaults/main.yml
@@ -1,2 +1 @@
 wireguard__state: present
-wireguard__role: client
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
index 3590636..9c4cf24 100644
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -1,11 +1,15 @@
+- debug: var=wireguard__state
+
 - tags:
     - wireguard
   become: yes
   when: wireguard__state == 'present'
   vars:
-    wg_if: "wg-{{ wireguard__net_id }}"
-    netdev_path: "/etc/systemd/network/60-{{ wg_if }}.netdev"
-    network_path: "/etc/systemd/network/61-{{ wg_if }}.network"
+    wg_net: "{{ hostvars[ansible_hostname][wireguard__name] }}"
+    wg_host: "{{ wg_net.hosts[ansible_hostname] }}"
+    all_peers: "{{ wg_host.peers is defined and wg_host.peers == 'all' }}"
+    netdev_path: "/etc/systemd/network/60-{{ wg_net.if }}.netdev"
+    network_path: "/etc/systemd/network/61-{{ wg_net.if }}.network"
   block:
     - name: Install packages
       tags: packages
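Review bot: `- debug: var=wireguard__state` at the top of the file is an untagged top-level task that runs on every host and prints on every run, which reads like leftover diagnostics; either drop it or give it a `name:` and `tags: wireguard` like the blocks below so `--tags wireguard` runs behave consistently. The new `wg_net` lookup makes `wireguard__name` a required variable, but the defaults file after this commit declares only `wireguard__state`, so a comment such as `# wireguard__name: name of the hostvar holding this host's wireguard network (required)` in defaults/main.yml, or an `assert` that it is defined, would make the contract visible. Indexing `hostvars` with `ansible_hostname` (the gathered fact) rather than `inventory_hostname` only works when inventory names match the machines' hostnames; worth confirming that is the intended contract. The block continues outside the hunk.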
@@ -28,110 +32,75 @@
         path: /etc/wireguard
         state: directory
 
-    - name: wg genkey /etc/wireguard/private.key
+    - name: "wg genkey /etc/wireguard/private-{{ wg_net.if }}.key"
       tags: wireguard-config
-      shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
+      shell: wg genkey | tee /etc/wireguard/private-{{ wg_net.if }}.key | wg pubkey > /etc/wireguard/public-{{ wg_net.if }}.key
       args:
-        creates: /etc/wireguard/private.key
+        creates: /etc/wireguard/private-{{ wg_net.if }}.key
       register: wg_private_key_gen
 
     - when: wg_private_key_gen.changed
       tags: wireguard-config
       fetch:
-        src: "/etc/wireguard/public.key"
+        src: "/etc/wireguard/public-{{ wg_net.if }}.key"
         dest: "files"
 
     - tags: wireguard-config
       slurp:
-        src: "/etc/wireguard/private.key"
+        src: "/etc/wireguard/private-{{ wg_net.if }}.key"
       register: wg_private_key
 
-    - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client)
-      when: wireguard__role == 'client'
+    - name: "Make {{ netdev_path }}"
       notify: systemctl restart systemd-networkd
       tags: wireguard-config
       copy:
         dest: "{{ netdev_path }}"
         content: |
           [NetDev]
-          Name={{ wg_if }}
+          Name={{ wg_net.if }}
           Kind=wireguard
-          Description=Net id: {{ wireguard__net_id }}
+          Description=Wireguard VPN
 
           [WireGuard]
           PrivateKey={{ wg_private_key['content'] | b64decode }}
+          {% if wg_host.listen_port is defined %}
+          ListenPort={{ wg_host.listen_port }}
+          {% endif %}
+          {% for hostname in wg_net.hosts|sort %}
+          {% set host = wg_net.hosts[hostname] %}
+          {% set present = not (host.state is defined) or host.state == 'present' %}
+          {% if present and (all_peers or host.endpoint is defined) %}
 
           [WireGuardPeer]
-          PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }}
-          AllowedIPs=0.0.0.0/0
-          AllowedIPs=::/0
-          Endpoint={{ wireguard__server.hostname }}:{{ wireguard__listen_port }}
+          PublicKey={{ lookup('file', hostname + '/etc/wireguard/public-{{ wg_net.if }}.key') }}
+          AllowedIPs={{ "0.0.0.0/0" if host.endpoint is defined else host.ipv4 }}
+          AllowedIPs={{ "::/0" if host.endpoint is defined else host.ipv6 }}
+          {% if host.endpoint is defined %}
+          Endpoint={{ host.endpoint }}:{{ host.listen_port }}
+          {% endif %}
           PersistentKeepalive=60
-
-    - name: Make /etc/systemd/network/60-wg-XXX.netdev (Server)
-      when: wireguard__role == 'server'
-      notify: systemctl restart systemd-networkd
-      tags: wireguard-config
-      copy:
-        dest: "{{ netdev_path }}"
-        content: |
-          [NetDev]
-          Name={{ wg_if }}
-          Kind=wireguard
-          Description=Net id: {{ wireguard__net_id }}
-
-          [WireGuard]
-          PrivateKey={{ wg_private_key['content'] | b64decode }}
-          ListenPort={{ wireguard__listen_port }}
-
-          {% for c in wireguard__clients|sort %}
-          {% set client = wireguard__clients[c] %}
-          # Client: {{ c }}
-          {% if client.state == 'present' %}
-          [WireGuardPeer]
-          PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }}
-          AllowedIPs={{ client.ipv4 }}
-          AllowedIPs={{ client.ipv6 }}
-          {% else %}
-          # absent
           {% endif %}
-
           {% endfor %}
 
-    - name: Make /etc/systemd/network/61-wg-XXX.network (Client)
-      when: wireguard__role == 'client'
-      tags: wireguard-config
-      notify: systemctl restart systemd-networkd
-      copy:
-        dest: "{{ network_path }}"
-        content: |
-          [Match]
-          Name={{ wg_if }}
-
-          [Network]
-          Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }}
-          Address={{ wireguard__clients[ansible_hostname].ipv6 }}/{{ wireguard__server.ipv6.prefix }}
-
-    - name: Make /etc/systemd/network/61-wg-XXX.network (Server)
-      when: wireguard__role == 'server'
+    - name: "Make {{ network_path }}"
       tags: wireguard-config
       notify: systemctl restart systemd-networkd
       copy:
         dest: "{{ network_path }}"
         content: |
           [Match]
-          Name={{ wg_if }}
+          Name={{ wg_net.if }}
 
           [Network]
-          Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }}
-          Address={{ wireguard__server.ipv6.address }}/{{ wireguard__server.ipv6.prefix }}
+          Address={{ wg_net.hosts[ansible_hostname].ipv4 }}/{{ wg_net.ipv4_prefix }}
+          Address={{ wg_net.hosts[ansible_hostname].ipv6 }}/{{ wg_net.ipv6_prefix }}
 
     - name: UFW allow port
-      when: wireguard__role == 'server'
+      when: wg_host.listen_port is defined
       tags: wireguard-config
       ufw:
         rule: allow
-        port: "{{ wireguard__listen_port }}"
+        port: "{{ wg_host.listen_port }}"
         proto: udp
 
 - tags:
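Review bot: The `PublicKey=` line inside the `{% for %}` loop nests `{{ wg_net.if }}` inside a Jinja string literal of an expression that is already being evaluated, so the inner braces are most likely taken literally and the file lookup will not resolve; build the path by concatenation instead, `PublicKey={{ lookup('file', hostname + '/etc/wireguard/public-' + wg_net.if + '.key') }}`. The loop also walks every entry of `wg_net.hosts`, including the host being configured, and nothing skips it, so a host with an endpoint (or with `peers: all`) gets a `[WireGuardPeer]` section carrying its own public key; adding `hostname != ansible_hostname` to the `{% if present and ... %}` condition avoids that. `Endpoint={{ host.endpoint }}:{{ host.listen_port }}` is rendered whenever `host.endpoint` is defined but nothing checks `host.listen_port`, so a host with an endpoint and no port fails templating rather than giving a clear error. Since the rendered `.netdev` carries the decoded private key, the `copy` task should set `owner: root`, `group: systemd-network` and `mode: "0640"` as systemd.netdev(5) recommends for WireGuard secrets, instead of inheriting the default mode.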
@@ -139,31 +108,31 @@
   become: yes
   when: wireguard__state == 'absent'
   vars:
-    wg_if: "wg-{{ wireguard__net_id }}"
-    netdev_path: "/etc/systemd/network/60-{{ wg_if }}.netdev"
-    network_path: "/etc/systemd/network/61-{{ wg_if }}.network"
+    wg_net: "{{ hostvars[ansible_hostname][wireguard__name] }}"
+    netdev_path: "/etc/systemd/network/60-{{ wg_net.if }}.netdev"
+    network_path: "/etc/systemd/network/61-{{ wg_net.if }}.network"
   block:
-    - file:
-        path: /etc/wireguard
-        state: absent
-      notify: systemctl restart systemd-networkd
-
-    - file:
-        path: "{{ netdev_path }}"
-        state: absent
-      notify: systemctl restart systemd-networkd
-
-    - file:
-        path: "{{ network_path }}"
+    - name: Remove old files
+      file:
+        path: "{{ item }}"
         state: absent
       notify: systemctl restart systemd-networkd
-
-    - shell: "ip -j link show {{ wg_if }}"
+      with_items:
+        - /etc/wireguard/private-{{ wg_net.if }}.key
+        - /etc/wireguard/public-{{ wg_net.if }}.key
+        - "{{ netdev_path }}"
+        - "{{ network_path }}"
+
+    - name: Checking for interface
+      shell: "ip -j link show"
       changed_when: False
       register: ip_link
 
-    - shell: "ip -j link delete {{ wg_if }}"
-      when: ip_link.stdout_lines|length != "0"
+    - name: Removing interface
+      shell: "ip -j link delete {{ wg_net.if }}"
+      when: links[wg_net.if] is defined
+      vars:
+        links: "{{ ip_link.stdout | from_json | items2dict(key_name='ifname', value_name='ifname') }}"
 
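Review bot: Both `ip` tasks in the absent block use `shell:` although neither command needs a shell (no pipes or redirections), so `command:` is the more appropriate module; the interface name spliced into `ip -j link delete {{ wg_net.if }}` then reaches `ip` as a single argument rather than being re-parsed by a shell, and `-j` is only meaningful for output so it can be dropped from the delete command. The `with_items` list also mixes unquoted templated paths with quoted ones; quoting the first two entries, `- "/etc/wireguard/private-{{ wg_net.if }}.key"`, keeps the list consistent with the rest of the file.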
 - name: generate dns records
   tags:
@@ -172,7 +141,7 @@
   local_action:
     module: copy
     content: |
-      wireguard_dns_records_{{ wireguard__net_id }}:
+      wireguard_dns_records_{{ wg_net.if }}:
       {% for c in wireguard__clients|sort %}
       {% set client = wireguard__clients[c] %}
         - type: A
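Review bot: `wg_net` on the `wireguard_dns_records_{{ wg_net.if }}:` line is defined only in the `vars:` of the two tagged blocks above, and this is a separate top-level task whose own `vars:` (if any) lie outside the hunk, so the name is probably undefined here and the template will fail unless it is added to this task's `vars:` as well. The loop two lines below still reads `wireguard__clients`, the data model the rest of this commit replaces with `wg_net.hosts`, and `state: {{ client.state }}` assumes `state` is always set whereas the netdev template now treats it as optional; if the DNS records are meant to follow the new model the loop should iterate `wg_net.hosts` with the same `present` default. The `dest:` line in the next hunk has the same `wg_net` scoping issue.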
@@ -184,4 +153,4 @@
           value: {{ client.ipv6 }}
           state: {{ client.state }}
       {% endfor %}
-    dest: "files/wireguard-dns-records-{{ wireguard__net_id }}.yml"
+    dest: "files/wireguard-dns-records-{{ wg_net.if }}.yml"
-- 